cloud-iam-deep

Analyzes cloud IAM vulnerabilities across AWS, Azure, and GCP, focusing on external exploitation and privilege escalation techniques.

Install this skill

38/100

Security score

The cloud-iam-deep skill was audited on Jun 10, 2026 and we found 30 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 158

Curl to non-GitHub URL

SourceSKILL.md

158	curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

medium line 161

Curl to non-GitHub URL

SourceSKILL.md

161	curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

medium line 165

Curl to non-GitHub URL

SourceSKILL.md

165	curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"

medium line 167

Curl to non-GitHub URL

SourceSKILL.md

167	curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/

medium line 213

Curl to non-GitHub URL

SourceSKILL.md

213	curl -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions?api-version=2020-01-01"

medium line 308

Curl to non-GitHub URL

SourceSKILL.md

308	curl -sk "https://k8s.target.com:6443/api/v1/namespaces"

medium line 311

Curl to non-GitHub URL

SourceSKILL.md

311	curl -sk "https://k8s.target.com:6443/api/v1/pods?limit=1"

low line 428

Access to .env file

SourceSKILL.md

428

.env.js

medium line 517

Access to .env file

SourceSKILL.md

517	- `hunt-cloud-misconfig` — Public buckets and exposed configs are the most common credential-leak vector. Chain primitive: Cloud misconfig (`.env` in public S3) + leaked AWS access key → IAM enume

low line 158

External URL reference

SourceSKILL.md

158	curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

low line 161

External URL reference

SourceSKILL.md

161	curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

low line 165

External URL reference

SourceSKILL.md

165	curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"

low line 167

External URL reference

SourceSKILL.md

167	curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/

low line 207

External URL reference

SourceSKILL.md

207	# Endpoint: http://169.254.169.254/metadata/identity/oauth2/token

low line 209

External URL reference

SourceSKILL.md

209	"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

low line 213

External URL reference

SourceSKILL.md

213	curl -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions?api-version=2020-01-01"

low line 217

External URL reference

SourceSKILL.md

217	"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net"

low line 221

External URL reference

SourceSKILL.md

221	"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com"

low line 294

External URL reference

SourceSKILL.md

294	"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"

low line 299

External URL reference

SourceSKILL.md

299	"https://cloudresourcemanager.googleapis.com/v1/projects"

low line 308

External URL reference

SourceSKILL.md

308	curl -sk "https://k8s.target.com:6443/api/v1/namespaces"

low line 311

External URL reference

SourceSKILL.md

311	curl -sk "https://k8s.target.com:6443/api/v1/pods?limit=1"

low line 315

External URL reference

SourceSKILL.md

315	kubectl --token=$TOKEN --server=https://k8s.target.com:6443 --insecure-skip-tls-verify get namespaces

low line 316

External URL reference

SourceSKILL.md

316	kubectl --token=$TOKEN --server=https://k8s.target.com:6443 --insecure-skip-tls-verify auth can-i --list

low line 317

External URL reference

SourceSKILL.md

317	kubectl --token=$TOKEN --server=https://k8s.target.com:6443 --insecure-skip-tls-verify get pods -A

low line 318

External URL reference

SourceSKILL.md

318	kubectl --token=$TOKEN --server=https://k8s.target.com:6443 --insecure-skip-tls-verify get secrets -A

low line 494

External URL reference

SourceSKILL.md

494	1. Andres Riancho — "Misconfigured Cognito Identity Pools" (2020, refreshed 2023) — original research establishing the attack class. `GetCredentialsForIdentity` against unauth pools with default `

low line 496

External URL reference

SourceSKILL.md

496	3. NotSoSecure / Claranet — "Exploiting weak configurations in Amazon Cognito" (Nov 2023) — walkthrough of identityPoolId extraction → assume guest role → S3/DynamoDB/Lambda enumeration. Calls out

low line 497

External URL reference

SourceSKILL.md

497	4. HackTricks Cloud — `aws-cognito-unauthenticated-enum` — canonical playbook covering Steps 1-5. [cloud.hacktricks.wiki](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-unauthe

low line 499

External URL reference

SourceSKILL.md

499	6. Datadog Security Labs — "Following AWS Logs Backwards: Cognito Identity Pool Abuse" (2024) — telemetry across Datadog customer base showing real-world Cognito pool abuse. Non-trivial percentage

Scanned on Jun 10, 2026

View Security Dashboard

Installation guide →

GitHub Stars 2.2K

Rate this skill

Categorydevelopment

UpdatedJune 15, 2026

frontend design docx git api database testing devops mobile backend security-engineer ml-ai-engineer devops-sre aws azure gcp development

elementalsouls/Claude-BugHunter